JoeBrancoIT.com

Coming around to IBM's BigFix

2/10/2017

I was first introduced to BigFix in late 2012. At first I complained about the choice to implement their own query and action languages instead of using known OS-specific languages.

It took me too long to realize the benefits of BigFix. My goal here is to be BigFix-positive instead of comparing the faults of other tools. I also don't want to get into all the features of BigFix, just the ones that have me recognizing its power.

BigFix Relevance language combined with PowerShell/VBS/Command Prompt
Recent Example:
  • Cisco Remote Code Execution Vulnerability in WebEx browser add-ons and extensions
    • I was tasked with identifying the machines with the extension installed in Chrome and then forcing them to upgrade to the latest version.
    • In BigFix I created an analysis that used a Relevance query to look at all of a machine's user profiles, find the Chrome AppData directory, look through any Chrome profiles for the folder matching the GUID of the WebEx Extension, and retrieve the version. In about 1-2 hours I had perfected the query and had the results from the majority of the enterprise's online clients (~8000 machines).
    • Next, using the same query, I created a Fixlet that used the query as relevance, with portions of the query intermixed with BigFix ActionScript to insert Registry Values on the affected machines. These made the Cisco WebEx Extension an Administrator-enforced extension, so that on the next launch of Chrome the latest version of the Extension would be downloaded and installed despite any user changes to settings that might have prevented an automatic update.
    • By the end of the afternoon I started to see the affected client counts drop, and I had a great analysis showing the dispersion of versions of the Chrome WebEx plugin that I could easily pass on to security and management over the coming few days as clients relaunched Chrome. (We did not force-terminate Chrome on users.)
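
The detect-then-enforce flow described above, sketched in PowerShell as an added example; it is not the author's Relevance query or ActionScript. `$ExtensionId` is a placeholder because the post does not give the WebEx extension's ID, and the two function names are hypothetical.

```powershell
# Added example. $ExtensionId is a PLACEHOLDER: the post does not list the WebEx extension ID.
$ExtensionId = 'REPLACE_WITH_EXTENSION_ID'
$UpdateUrl   = 'https://clients2.google.com/service/update2/crx'   # Chrome Web Store update URL
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'

function Get-ChromeExtensionVersion {    # hypothetical helper name
    param([string]$Id, [string]$UsersRoot = (Join-Path $env:SystemDrive 'Users'))
    # user profile -> Chrome profile -> Extensions\<id>\<version>_<n>
    foreach ($user in Get-ChildItem -LiteralPath $UsersRoot -Directory -ErrorAction SilentlyContinue) {
        $userData = Join-Path $user.FullName 'AppData\Local\Google\Chrome\User Data'
        if (-not (Test-Path -LiteralPath $userData)) { continue }
        foreach ($chromeProfile in Get-ChildItem -LiteralPath $userData -Directory) {
            $extDir = Join-Path $chromeProfile.FullName "Extensions\$Id"
            if (-not (Test-Path -LiteralPath $extDir)) { continue }
            foreach ($ver in Get-ChildItem -LiteralPath $extDir -Directory) {
                [pscustomobject]@{
                    User          = $user.Name
                    ChromeProfile = $chromeProfile.Name
                    Version       = ($ver.Name -split '_')[0]   # folder "1.2.3_0" -> "1.2.3"
                }
            }
        }
    }
}

function Set-ChromeForcedExtension {     # hypothetical helper name; needs admin rights (HKLM)
    param([string]$Id, [string]$Url, [string]$Key)
    $wanted = "$Id;$Url"
    if (-not (Test-Path -LiteralPath $Key)) { New-Item -Path $Key -Force | Out-Null }
    # Forcelist entries are string values named 1, 2, 3, ...
    $regKey = Get-Item -LiteralPath $Key
    $names  = @($regKey.GetValueNames() | Where-Object { $_ -match '^\d+$' })
    foreach ($n in $names) { if ($regKey.GetValue($n) -eq $wanted) { return $false } }  # already enforced
    $next = 1
    while ($names -contains "$next") { $next++ }   # first unused index, keeps other entries intact
    New-ItemProperty -LiteralPath $Key -Name "$next" -Value $wanted -PropertyType String | Out-Null
    return $true
}

$found = @(Get-ChromeExtensionVersion -Id $ExtensionId)
$found | Group-Object Version | Select-Object Name, Count      # version spread for reporting
if ($found.Count -gt 0) {                                       # act only where the extension exists
    $changed = Set-ChromeForcedExtension -Id $ExtensionId -Url $UpdateUrl -Key $PolicyKey
    "Forcelist entry " + $(if ($changed) { 'added' } else { 'already present' })
}
```

The enforcement step is idempotent, so it can be re-run on a schedule without duplicating the policy value or overwriting other force-installed extensions.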
BigFix works with third parties to provide easy-to-deploy updates
  • One of the really nice built-in, no-fuss solutions from BigFix is that when new versions of software are released to fix vulnerabilities, BigFix has a package available to deploy the update within a day.
    • Examples: Adobe Flash Player, Reader, Google Chrome, Microsoft Windows, Office, Notepad++, etc.
    • With Chrome we do have customizations to apply post-install. The original author of our Chrome update job had about 200 lines of commands and scripts that handled 32-bit and 64-bit separately because he wasn't using Relevance to the full extent.
    • With the Relevance language and its parameters (variables) I got the install script down to about 80 lines of code. When Google and BigFix released an updated package we could copy all but the first 4 lines, which specify the download locations and version, to get the new version in place.
Smart Clients - Dumb Servers
  • This concept was another difficult one for me to wrap my head around at first.
  • When you query a client, you query the client, not information stored on the server about the client. So even if the server has information about the client in its database, it isn't used for new queries... you have to wait for the client to report its information.
  • The reason why is that it provides for a less complex infrastructure and more accurate results.
  • Clients check with the server to get the logic they need to process and then report the results back. The infrastructure is very simple to set up: install the top-level server, attach a database, install relays (which can also be clients), and then push the clients out. No need for lots of services to be installed or AD schema changes.
Managing clients with/without AD
  • Using Relevance it was easy to logically organize computers based on attributes, names, users, programs installed, registry values, and flag files. No changes were made to AD: no new groups created, no reliance on location in OUs. It was incredibly flexible.
  • It has the ability to read/parse XML, INI, and JSON files using the standard document navigation native to each, in order to build action relevance and to make changes via ActionScript.
Enforcing Policies with/without AD
  • Where we used BigFix we used very few Active Directory Group Policies. We created Policies in BigFix that would evaluate on our schedule and, if they found that reg values, files, permissions, services, etc. were not in the configured state, run the job and correct the configuration. No delays at logon while group policies refreshed, no worrying about machines having issues processing group policy.


http://support.bigfix.com - Inspector Relevance - has great documentation on the Relevance language and links to the documentation for BigFix ActionScript. The Fixlet debugger may be downloadable without a login from BigFix, and you can experiment with the language and its power (some items won't work without a BigFix client installed, which requires a license).